Remote Exploit Forums

#1
12-13-2007, 12:20 AM
Dr_GrEeN
Senior Member
Join Date: Sep 2007
Location: dark side of the moon
Posts: 682

[New Tutorial For BT3 ONLY] One bluetooth post to rule them all!

Backtrack Ultimate Bluetooth Tutorial

Hey all

After I received lots of mail and requests I decided to shed some more light on bluetooth. In this tutorial I am going to be covering the following subjects...

1) Setting up your bluetooth equipment
2) Scanning and fingerprinting devices
3) Connectivity and RFCOMM
4) Bluebugging & Bluesnarfing

And as a merry Christmas to all at remote exploits

5) Making bluetooth sniffing hardware for $39.99

Video tutorials on different subjects will be added to this post over the next week.

OK, let's begin. The first subject might sound silly to most here, but for the guys that just don't know I'm going to cover it anyway. To set up your bluetooth USB device simply plug it in and wait for 10 seconds. Then type in a console:

Code:
hciconfig hci0 up
And you should have your adapter up and working; you can test with the following command:

Code:
hciconfig -a
And you should see something like the following .

Code:
hci0:   Type: USB
        BD Address: 00:11:22:33:44:55 ACL MTU: 678:8 SCO MTU: 48:10
        UP RUNNING
        RX bytes:85 acl:0 sco:0 events:9 errors:0
        TX bytes:33 acl:0 sco:0 commands:9 errors:0
        Features: 0xbf 0xfe 0x8d 0x78 0x08 0x18 0x00 0x00
        Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
        Link policy:
        Link mode: SLAVE ACCEPT
        Name: 'ISSCBTA'
        Class: 0x000000
        Service Classes: Unspecified
        Device Class: Miscellaneous,
        HCI Ver: 1.2 (0x2) HCI Rev: 0x1fe LMP Ver: 1.2 (0x2) LMP Subver: 0x1fe
        Manufacturer: Integrated System Solution Corp. (57)
OK, if you are stuck at this point I would suggest you go out and buy a compatible USB dongle for BackTrack. But if you are still with me, let's move on.

Next is fingerprinting a bluetooth device. Fingerprinting is the term we use for profiling a device, and to do this BackTrack has a collection of tools called BlueZ. BlueZ is the standard bluetooth package for Linux. For fingerprinting we can use a couple of those tools. One is hcitool; we can use hcitool to scan for devices that are broadcasting. We scan with hcitool with the following command:

Code:
hcitool scan hci0
And you should see something like ...

Code:
Scanning ...
        00:11:22:33:44:55       hackme
You can also brute force scan for devices; BackTrack also has you covered on this with a wonderful tool called btscanner. Btscanner can also inquiry scan. You would use btscanner in an inquiry scan if you were wardriving.

The other is sdptool; sdptool will browse our device for open channels and tell us what services are available on what channels.

We fingerprint devices with sdptool by issuing the following command:

Code:
sdptool browse victim_Mac
And you should see something like this:

Code:
Service Name: Serial Port
Service RecHandle: 0x10001
Service Class ID List:
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2
Profile Descriptor List:
  "Serial Port" (0x1101)
    Version: 0x0100

Service Name: Dial-up Networking
Service RecHandle: 0x10002
Service Class ID List:
  "Dialup Networking" (0x1103)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 3
Profile Descriptor List:
  "Dialup Networking" (0x1103)
    Version: 0x0100

Service Name: OBEX File Transfer
Service RecHandle: 0x10007
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 6
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX File Transfer" (0x1106)
    Version: 0x0100

Service Name: Object Push
Service RecHandle: 0x10008
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 7
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100
Let's take a look at what we have: on two we have a serial port/channel, on three we have dial-up, on 6 we have OBEX FTP and on 7 we have OPUSH.

All are interesting, and now we have a pretty good idea about what the device is and so on.

Now on to the bit most people I speak to struggle with, the dreaded RFCOMM :O. RFCOMM is a simple set of transport protocols, made on top of the L2CAP protocol, providing an emulated RS-232 serial port. Or in layman's terms, they provide the language your device and laptop need to talk to each other.

Now the first thing to do is to set up our bluetooth configuration, so let's go over to the /etc dir and get stuck in.

Open /etc/bluetooth/hcid.conf and replace the lot with this:

Code:
#
# HCI daemon configuration file.
#

# HCId options
options {
	# Automatically initialize new devices
	autoinit yes;

	# Security Manager mode
	#   none - Security manager disabled
	#   auto - Use local PIN for incoming connections
	#   user - Always ask user for a PIN
	#
	security auto;

	# Pairing mode
	#   none  - Pairing disabled
	#   multi - Allow pairing with already paired devices
	#   once  - Pair once and deny successive attempts
	pairing multi;

	# Default PIN code for incoming connections
	passkey "1234";
}

# Default settings for HCI devices
device {
	# Local device name
	#   %d - device id
	#   %h - host name
	name "device1";

	# Local device class
	class 0x000000;

	# Default packet type
	#pkt_type DH1,DM1,HV1;

	# Inquiry and Page scan
	iscan enable; pscan enable;

	# Default link mode
	#   none   - no specific policy 
	#   accept - always accept incoming connections
	#   master - become master on incoming connections,
	#            deny role switch on outgoing connections
	lm accept,master;

	# Default link policy
	#   none    - no specific policy
	#   rswitch - allow role switch
	#   hold    - allow hold mode
	#   sniff   - allow sniff mode
	#   park    - allow park mode
	lp rswitch,hold,sniff,park;
	auth enable;
	encrypt enable;
}
You can set up your own passkey and name. Also go over to a shell and type

Code:
hciconfig -a
And copy the class to hcid.conf, save and exit. You could set up rfcomm here too, but it's a live CD.

Now restart your bluetooth device like so:

Code:
bash /etc/rc.d/rc.bluetooth restart
And now we can set up our rfcomm binds. I will post a bash script when I have time, but for now you will have to do it the manual way.

First thing is to set up our devices:

Code:
mknod -m 666 /dev/rfcomm0 c 216 3
mknod -m 666 /dev/rfcomm1 c 216 6
mknod -m 666 /dev/rfcomm2 c 216 7
OK, what we did there is create three binds to our bluetooth device. The first one is RFCOMM0 and is on channel 3, DUN dial-up; the second is RFCOMM1 and is on channel 6, FTP; and the third is RFCOMM2 and is on channel 7, OBEX push.

Now let's connect it all up with sdptool.

Code:
sdptool add --channel=3 DUN
sdptool add --channel=6 FTP
sdptool add --channel=7 OPUSH
Now we have set up our bluetooth dongle correctly we can begin hacking.

If I were to talk you through every possible exploit there is for bluetooth it would take all next year and I still wouldn't be finished, so the two hacks are going to be bluesnarfer and bluebugger.

Bluesnarfer connects to a target Bluetooth device via Bluetooth's OBEX Push profile. But instead of pushing a business card, it pulls, using a "get" request for files with known names, such as the phonebook file (telecom/pb.vcf) or the calendar file (telecom/cal.vcs). Bluebugger works in a similar way.
Also bear in mind that these security flaws can still be used against you. With a little bit of social engineering you could pre-pair a phone to your laptop and exploit it from then onwards. Stand by for a video of bluesnarfer and bluebugger successfully completing a hack on my Samsung D600.

Both are pretty straightforward to use now you have your bluetooth set up correctly. I'm not going to post commands because there is a video on the way. First bluebugger:

Code:
bluebugger 0.1 ( MaJoMu | www.codito.de )
-----------------------------------------

Usage: bluebugger [OPTIONS] -a <addr> [MODE]

       -a <addr>     = Bluetooth address of target

       Options:
       --------
       -m <name>     = Name to use when connecting (default: '')
       -d <device>   = Device to use (default: '/dev/rfcomm')
       -c <channel>  = Channelto use (default: 17)
       -n            = No device name lookup
       -t <timeout>  = Timeout in seconds for name lookup (default: 5)
       -o <file>     = Write output to <file>

       Mode:
       -----
       info                   = Read Phone Info   (default)
       phonebook              = Read Phonebook    (default)
       messages               = Read SMS Messages (default)
       dial <num>             = Dial number
       ATCMD                  = Custom Command (e.g. '+GMI')

       Note: Modes can be combined, e.g. 'info phonebook +GMI'
And bluesnarfer:


Code:
bluesnarfer, version 0.1 -
usage: bluesnarfer [options] [ATCMD] -b bt_addr

ATCMD     : valid AT+CMD (GSM EXTENSION)

TYPE      : valid phonebook type ..
example   : "DC" (dialed call list)
            "SM" (SIM phonebook)
            "RC" (recevied call list)
            "XX" much more

-b bdaddr : bluetooth device address
-C chan   : bluetooth rfcomm channel

-c ATCMD  : custom action
-r N-M    : read phonebook entry N to M
-w N-M    : delete phonebook entry N to M
-f name   : search "name" in phonebook address
-s TYPE   : select phonebook memory storage
-l        : list aviable phonebook memory storage
-i        : device info
Now for the finale: how to turn an ordinary USB bluetooth dongle into a $1000 sniffing tool.
__________________
yada yada
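The sdptool browse listing in the post above is what a device advertises to anyone who asks, and reading channels off it by eye gets tedious on a phone with a dozen records. The following is an added example, not code from the tutorial or from BlueZ, that parses those records into a service inventory keyed by RFCOMM channel, which is the view you need when deciding which profiles on your own devices should stay enabled. It assumes only the record layout shown above; SAMPLE is the tutorial's own output, abridged and embedded so the script runs offline.

```python
"""Parse `sdptool browse` records into a per-channel service inventory.
Added example, not from the tutorial or from BlueZ; SAMPLE is the tutorial's
own output (abridged), embedded here so the script runs offline."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
Service Name: Serial Port
Service RecHandle: 0x10001
Service Class ID List:
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2
Profile Descriptor List:
  "Serial Port" (0x1101)
    Version: 0x0100

Service Name: Dial-up Networking
Service RecHandle: 0x10002
Service Class ID List:
  "Dialup Networking" (0x1103)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 3

Service Name: OBEX File Transfer
Service RecHandle: 0x10007
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 6
  "OBEX" (0x0008)

Service Name: Object Push
Service RecHandle: 0x10008
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 7
  "OBEX" (0x0008)
"""

FIELD_RE = re.compile(r'^(Service Name|Service RecHandle): (.+)$')
ENTRY_RE = re.compile(r'^\s+"([^"]+)"\s+\((0x[0-9a-fA-F]+)\)\s*$')
CHANNEL_RE = re.compile(r'^\s+Channel:\s+(\d+)\s*$')


@dataclass
class Service:
    name: str
    handle: int = 0
    class_ids: List[Tuple[str, int]] = field(default_factory=list)
    protocols: List[Tuple[str, int]] = field(default_factory=list)
    channel: Optional[int] = None  # RFCOMM channel, if the record has one


def parse_sdptool(text: str) -> List[Service]:
    """Walk the listing line by line; a new record starts at each Service Name
    (or at a RecHandle line, for records that carry no name)."""
    services: List[Service] = []
    cur: Optional[Service] = None
    section: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            if key == 'Service Name':
                cur = Service(name=value.strip())
                services.append(cur)
            else:
                if cur is None or cur.handle:  # unnamed record
                    cur = Service(name='(unnamed)')
                    services.append(cur)
                cur.handle = int(value, 16)
            section = None
            continue
        if cur is None:
            continue
        if line.endswith('List:'):  # "Service Class ID List:" etc.
            section = line.strip()
            continue
        m = ENTRY_RE.match(line)
        if m:
            entry = (m.group(1), int(m.group(2), 16))
            if section == 'Service Class ID List:':
                cur.class_ids.append(entry)
            elif section == 'Protocol Descriptor List:':
                cur.protocols.append(entry)
            continue
        m = CHANNEL_RE.match(line)
        if m and section == 'Protocol Descriptor List:':
            cur.channel = int(m.group(1))
    return services


def rfcomm_channel_map(services: List[Service]) -> Dict[int, str]:
    """Channel -> service name: the table the post reads off by hand."""
    return {s.channel: s.name for s in services if s.channel is not None}


if __name__ == '__main__':
    for chan, name in sorted(rfcomm_channel_map(parse_sdptool(SAMPLE)).items()):
        print(f'RFCOMM channel {chan:2d}: {name}')
```

Feed it real output with `sdptool browse <bdaddr> | python3 sdp_inventory.py` after swapping SAMPLE for `sys.stdin.read()`; records without a Service Name line (common on older phones) are kept as "(unnamed)" rather than dropped, so the channel map stays complete.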

Last edited by Dr_GrEeN; 12-17-2007 at 02:38 AM.
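The hcid.conf in the post is tuned for convenience on a live CD: a well-known default passkey, `security auto` (incoming pairings are answered with that stored PIN, no prompt) and `iscan enable` (the adapter answers inquiry scans, so it shows up in anyone's hcitool scan). The following is an added example, not code from the tutorial or from BlueZ, that parses the `options` and `device` blocks, reports which of those settings are weak, and rewrites them to the stricter values hcid.conf's own comments document. The setting names and the sample file come from the config above; the weak-PIN list, the minimum PIN length and the choice of recommended values are my own.

```python
"""Audit a BlueZ hcid.conf for the permissive settings used in the tutorial.
Added example, not from the tutorial or from BlueZ. SAMPLE_CONF is the
post's hcid.conf with its long comments trimmed."""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_CONF = """\
# HCI daemon configuration file (from the post above, comments trimmed)
options {
    autoinit yes;
    security auto;
    pairing multi;
    passkey "1234";
}

device {
    name "device1";
    class 0x000000;
    #pkt_type DH1,DM1,HV1;
    iscan enable; pscan enable;
    lm accept,master;
    lp rswitch,hold,sniff,park;
    auth enable;
    encrypt enable;
}
"""

BLOCK_RE = re.compile(r'(\w+)\s*\{(.*?)\}', re.S)
WEAK_PINS = {'0000', '0001', '1111', '1234', '9999'}  # my list, not BlueZ's
MIN_PIN_LEN = 6


def parse_hcid(text: str) -> Dict[str, Dict[str, str]]:
    """{block name: {key: value}}; comments are dropped, quotes stripped."""
    text = re.sub(r'#[^\n]*', '', text)
    cfg: Dict[str, Dict[str, str]] = {}
    for name, body in BLOCK_RE.findall(text):
        settings: Dict[str, str] = {}
        for stmt in body.split(';'):
            parts = stmt.strip().split(None, 1)
            if parts:
                settings[parts[0]] = (parts[1] if len(parts) > 1 else '').strip('"')
        cfg[name] = settings
    return cfg


@dataclass
class Finding:
    section: str
    key: str
    current: str
    recommended: str
    reason: str


def audit(cfg: Dict[str, Dict[str, str]]) -> List[Finding]:
    opts, dev = cfg.get('options', {}), cfg.get('device', {})
    out: List[Finding] = []
    if opts.get('security') == 'auto':
        out.append(Finding('options', 'security', 'auto', 'user',
                           "'auto' answers incoming pairings with the stored passkey; 'user' prompts for a PIN"))
    if opts.get('pairing') == 'multi':
        out.append(Finding('options', 'pairing', 'multi', 'once',
                           "'multi' lets an already paired device pair again; 'once' denies repeat attempts"))
    pk = opts.get('passkey', '')
    if pk in WEAK_PINS or len(pk) < MIN_PIN_LEN:
        out.append(Finding('options', 'passkey', pk, f'random PIN of {MIN_PIN_LEN}+ digits',
                           'well-known or short default PIN'))
    if dev.get('iscan') == 'enable':
        out.append(Finding('device', 'iscan', 'enable', 'disable',
                           'adapter answers inquiry scans (visible to hcitool scan); pscan alone keeps it connectable for paired devices'))
    for key in ('auth', 'encrypt'):
        if dev.get(key) != 'enable':
            out.append(Finding('device', key, dev.get(key, '(unset)'), 'enable',
                               'links must require authentication and encryption'))
    return out


def harden(text: str, new_passkey: str) -> str:
    """Return the config text with the weak settings rewritten in place."""
    if new_passkey in WEAK_PINS or len(new_passkey) < MIN_PIN_LEN:
        raise ValueError('replacement passkey is itself weak')
    text = re.sub(r'(^\s*security\s+)auto;', r'\1user;', text, flags=re.M)
    text = re.sub(r'(^\s*pairing\s+)multi;', r'\1once;', text, flags=re.M)
    text = re.sub(r'(^\s*passkey\s+)"[^"]*";',
                  lambda m: m.group(1) + f'"{new_passkey}";', text, flags=re.M)
    text = re.sub(r'(\biscan\s+)enable;', r'\1disable;', text)
    return text


if __name__ == '__main__':
    for f in audit(parse_hcid(SAMPLE_CONF)):
        print(f'{f.section}.{f.key}: {f.current!r} -> {f.recommended!r}  ({f.reason})')
    print(harden(SAMPLE_CONF, '83719204'))
```

Turning off `iscan` is the one change that affects the tutorial's own workflow: the adapter stops appearing in other people's scans but still accepts connections from devices that already know its address, which is the usual trade-off for a laptop that only talks to its own phone.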
#2
12-13-2007, 12:25 AM
spankdidly
Senior Member
Join Date: Feb 2006
Posts: 1,094

I have never gotten any of the bluetooth BS to work. Awesome tutorial though!
__________________
I felt like bending the bars back, and ripping out the window frames and eating them. yes, eating them! Leaping, leaping, leaping! Colonics for everyone! All right! You dumb*sses. I'm a mental patient. I'm *supposed* to act out!
#3
12-13-2007, 01:36 AM
Dr_GrEeN
Senior Member
Join Date: Sep 2007
Location: dark side of the moon
Posts: 682

Bluetooth sniffer

Finally, and to say merry Xmas, here it is: how to turn an ordinary USB dongle with a Cambridge Silicon Radio chipset into the FTS4BT sniffing dongle. Before we begin I would like to say I do not hold any responsibility for anybody breaking their equipment. You are doing this at your own risk: but hey, for $39 who cares.

I have been reading up on this for a while now, and I was reading one of max@remote-exploit's papers where he had changed the firmware using the BlueZ utilities to make the dongle go into RAW mode or promiscuous mode.

EDIT

Seems I was a bit keen in this tutorial, as it turns out this mod was not successful after all. The reason being that there are two types of BlueCore-4 chipset, BlueCore-4 ROM and BlueCore-4 External. The ROM chip has the firmware embedded on the chip and the EXT model has external memory for the firmware. You need to be able to update the firmware to allow sniffing in Windows.

To find out if you have the right type of chipset, type:


Code:
hciconfig hci* revision
And if you see EXT, excellent; but if you see ROM you are a no-go. Saying that, ROM chipsets will still go into RAW mode and the FTS4BT software reads the device as compatible, but calibration crashed for me.

Also, it must be in promiscuous mode because we see bytes via hciconfig and RAW on the modes??? I'm looking into this more at the moment, so as I learn more I will add.

First let's back up your old firmware with dfutool.

Code:
dfutool -d hci0 archive backold.dfu
Select the number corresponding to your card. Next let's fire up the card:

Code:
hciconfig hci0 up
This may not make sense now but it will very soon, so pay attention lol. There are multiple places to read bytes on the stick. Depending on what card you are using these can be different. In general these are "Default" (0x0000), "param" (0x0008), "psi" (0x0001), "psf" (0x0002) and "psrom" (0x0004). If yours is different you can keep trying until you run out of numbers and then take the dongle back.

Now we have to hunt down the value of the USB product & vendor identifier.

To get the product ID type:

Code:
bccmd psget -s 0x0000 0x02bf
And you should see:
Code:
USB product identifier: 0x0001 (1)
And now the vendor ID:

Code:
bccmd psget -s 0x0000 0x02be
From what I have read, most of the time the stuff you need to edit is on psf 0x0002, but yours may be different. But there's only five it can be. Now let's write the new ID:

Code:
bccmd psset -s 0x0000 0x02bf 0x0002
Now check the changes were made:

Code:
bccmd psget -s 0x0000 0x02bf
And you should now see:

Code:
USB product identifier: 0x0002 (2)
Success!!!!!!

Now from what I have read, 9 times out of ten you don't need to change your vendor ID, but check to see if it's 0x0a12 and if not change that too.

Code:
bccmd psset -s 0x0000 0x02be 0x0a12
And you are done. There is support for *nux but I have yet to find it, but you can see it sniffing: if you keep retyping hciconfig hci0 you will see the TX and RX bytes rising and you are in RAW mode.

Code:
drgr33n ~ # hciconfig hci0
hci0:   Type: USB
        BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
        UP RUNNING RAW
        RX bytes:41281 acl:0 sco:0 events:0 errors:0
        TX bytes:42532 acl:0 sco:0 commands:1971 errors:0

drgr33n ~ # hciconfig hci0
hci0:   Type: USB
        BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
        UP RUNNING RAW
        RX bytes:41293 acl:0 sco:0 events:0 errors:0
        TX bytes:42535 acl:0 sco:0 commands:1972 errors:0

drgr33n ~ # hciconfig hci0
hci0:   Type: USB
        BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
        UP RUNNING RAW
        RX bytes:41305 acl:0 sco:0 events:0 errors:0
        TX bytes:42538 acl:0 sco:0 commands:1973 errors:0

drgr33n ~ # hciconfig hci0
hci0:   Type: USB
        BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
        UP RUNNING RAW
        RX bytes:41317 acl:0 sco:0 events:0 errors:0
        TX bytes:42541 acl:0 sco:0 commands:1974 errors:0

drgr33n ~ # hciconfig hci0
hci0:   Type: USB
        BD Address: 00:11:67:5A:A5:C8 ACL MTU: 0:0 SCO MTU: 0:0
        UP RUNNING RAW
        RX bytes:41329 acl:0 sco:0 events:0 errors:0
        TX bytes:42544 acl:0 sco:0 commands:1975 errors:0
Now more and more stuff is coming out every month on this, so now it may seem pointless, but give it 6 months and you will be laughing.

Merry Christmas !

Last edited by Dr_GrEeN; 12-22-2007 at 03:08 PM.
#4
12-13-2007, 01:45 AM
spankdidly
Senior Member
Join Date: Feb 2006
Posts: 1,094

http://www.5min.com/Video/Eavesdropp...eadsets-925061

Funny Stuff.

I was able to get most of this working, however, my headset was not vulnerable or something.
#5
12-13-2007, 02:17 AM
Administrator
Join Date: Jan 2006
Posts: 1,432

Very nice write up

As you stated, this isn't an area that really gets much coverage, primarily because it has always been artificially *held* within the mega-bucks arena.
But I suppose I can understand why, too
#6
12-13-2007, 02:18 AM
Dr_GrEeN
Senior Member
Join Date: Sep 2007
Location: dark side of the moon
Posts: 682

Yea, car whisperer is funny and a nice add too. Cheers spankdidly

@Re@lity yep, that's why we have to bring their $1000 bill down to $39 ;D

Last edited by Dr_GrEeN; 12-13-2007 at 02:20 AM.
#7
12-13-2007, 02:52 AM
Senior Member
Join Date: Jul 2007
Posts: 104

Just as some side info, if you are using a Logitech bluetooth adapter that came with your keyboard/mouse you may get an issue with the hciconfig hci0 up command. To remedy this, enter the commands:

Code:
hid2hci
hciconfig hci0 up
and last, to make sure it's up:

Code:
hciconfig -a

This probably doesn't apply to many people but oh well.
(I had that problem though. Thanks google. )

Last edited by ESC201; 12-13-2007 at 02:52 AM. Reason: typo
#8
12-13-2007, 10:49 AM
Senior Member
Join Date: Nov 2007
Location: SY, UK
Posts: 224

Dr_Green I love you !!!

Will have a go at this lot the other side of the weekend

Much appreciated.
__________________
wtf?
#9
12-13-2007, 02:05 PM
Just burned his ISO
Join Date: Dec 2007
Location: Italy
Posts: 3

Great Dr_Greeeeeeeennnnnnn!
#10
12-13-2007, 04:23 PM
Dr_GrEeN
Senior Member
Join Date: Sep 2007
Location: dark side of the moon
Posts: 682

Thanks guys, glad you liked it. Sorry about the bad English and spelling; it was late last night and I was running on about 10% brainpower. Just been through and sorted the odd really bad bits out.